Any reason you are using Computer Assignment instead of User Assignment?
This environment's history has been pretty workstation-centric, and there's an enforcement of a user-to-workstation notion.
And the last time I tried using an AD security group to specify DLP exceptions per user, it totally didn't work at all.
To your original question, DLPe does not support Policy Assignment Rules. You will need to use the sub group/break inheritance method. You could still use tags and server tasks to move systems to a specific group and then assign a Computer Based Assignment policy just to that group.
Why would you exclude certain machines and create a security gap?
Unless there is a need to use Computer Based Assignment, you would want to use User Based. The reasoning is that, unlike an Anti-Malware product that does not care about a user's role, Data ties directly to a user's role.
You would want to get used to the User Based Assignments if at some point later you will be using Content Rules.
I have never faced issues with excluding users who are part of an AD Security Group. Distribution Groups do not have a SID associated with them and will not work.